Re: Kuang2 strikes again, is it just me?

From: Paul Dokas (dokasat_private)
Date: Mon Feb 17 2003 - 09:57:34 PST


    On Sat, 15 Feb 2003 23:02:48 -0500 "Rob Shein" <shotenat_private> wrote:
    > Ah, a honeypot...a good question comes to mind.  Does anyone have any info
    > on what a Kuang2 backdoor looks like to a scanner?  I'd rather not install
    > one myself and work to figure it out if anyone else has done the work
    > already...
    
    I just caught one on one of my /16 networks.  I noticed the machine because it created
    several GB of IP Protocol 255 traffic last night aimed at a cablemodem.  Here's what an
    NMAP of the machine looks like:
    
      (The 65528 ports scanned but not shown below are in state: closed)
      Port       State       Service (RPC)
      80/tcp     filtered    http
      135/tcp    open        loc-srv
      139/tcp    open        netbios-ssn
      445/tcp    open        microsoft-ds
      1025/tcp   open        NFS-or-IIS
      5000/tcp   open        UPnP
      17300/tcp  open        unknown
      Remote OS guesses: Windows Millennium Edition (Me), Win 2000, or WinXP, MS Windows2000 Professional RC1/W2K Advance Server Beta3
    
    It's definitely got Kuang2 on it:
    
      % telnet 128.101.X.Y 17300
      Trying 128.101.X.Y...
      Connected to XXXXXXXXX.umn.edu.
      Escape character is '^]'.
      YOK2BENNY°ùR>õõwè       >>6>ùR ûR$øw U÷wÿÿõõwÍõwõw-ww(üRwh% 
    
    And, Nessus flags 17300/TCP as Kuang2.
    
    Grabbing some traffic to/from the machine, it appears to only be doing
    IRC at the moment:
    
      11:45:44.910196 209.126.161.29.ircd > XXXXXXXX.umn.edu.4171: P 1153785951:1153786075(124) ack 8633779 win 32120 (DF)
      11:45:45.095084 XXXXXXXX.umn.edu.4171 > 209.126.161.29.ircd: . ack 124 win 17209 (DF)
      11:45:49.530129 209.126.161.29.ircd > XXXXXXXX.umn.edu.4171: P 124:206(82) ack 1 win 32120 (DF)
      11:45:49.705017 XXXXXXXX.umn.edu.4171 > 209.126.161.29.ircd: . ack 206 win 17127 (DF)
    
    Dumping the TCP session shows traffic in the channel:
    
      :Nosibvyzt!~Nosibvyzt@pc1-nfds2-6-cust10.nott.cable.ntl.com JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
      :wolhglsli!~wolhglsliat_private QUIT :Read error: 104 (Connection reset by peer)^M
      :Skrcgirl!~Skrcgirl@Morristown-68-118-83-195.chartertn.net JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
      :Rbizcoced!~Rbizcoced@dhcp024-210-152-184.woh.rr.com QUIT :Ping timeout: 600 seconds^M
      :Kadisfutr!~Kadisfutrat_private QUIT :Ping timeout: 600 seconds^M
      :mskspwn!~mskspwnat_private QUIT :Read error: 104 (Connection reset by peer)^M
      :Woicdonic!~Woicdonic@usr3152-edi.blueyonder.co.uk JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
      :mlkaglali!~mlkaglaliat_private QUIT :Read error: 104 (Connection reset by peer)^M
      :Rosjhgly!~Rosjhglyat_private JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
      :Sscpceih!~Sscpceih@cable1-137.shenhgts.net JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
      :Diencoke!~Diencokeat_private QUIT :Ping timeout: 600 seconds^M
      :Mikemlyt!~Mikemlytat_private JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
      :Kiwnpdti!~Kiwnpdti@12-252-81-85.client.attbi.com JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
      :Mixeboyz!~Mixeboyz@c-97e472d5.038-85-73746f37.cust.bredbandsbolaget.se JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
      :Aglfsoush!~Aglfsoush@pm3-2-210.htg.net JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
      :rarmnyj!~rarmnyjat_private QUIT :Read error: 104 (Connection reset by peer)^M
      :Migegtki!~Migegtkiat_private QUIT :Ping timeout: 600 seconds^M
      :Niwfmlnep!~Niwfmlnepat_private-dialin.net QUIT :Ping timeout: 600 seconds^M
      :kirmrao!~kirmrao@user-1694.bbd18tcl.dsl.pol.co.uk QUIT :Ping timeout: 600 seconds^M
      :Radicolwi!~Radicolwiat_private QUIT :Ping timeout: 600 seconds^M
      :Rhcvmicha!~Rhcvmicha@HSE-London-ppp208618.sympatico.ca JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
      :radieilha!~radieilha@adsl-153-99-155.mia.bellsouth.net JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
      :Oaycboy!~Oaycboy@CZ1-RAS-1-u-0078.du.onolab.com QUIT :Ping timeout: 600 seconds^M
      :garcpiche!~garcpiche@ASte-Genev-Bois-111-1-1-161.abo.wanadoo.fr QUIT :Ping timeout: 600 seconds^M
      :Siepslu!~Siepslu@cable-213-132-151-242.upc.chello.be QUIT :Ping timeout: 600 seconds^M
      :Stmpsoueh!~Stmpsouehat_private-szeged.hu QUIT :Read error: 104 (Connection reset by peer)^M
      :Siepslu!~Siepslu@cable-213-132-151-242.upc.chello.be JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
      :Tirxplt!~Tirxplt@ool-18bc17fc.dyn.optonline.net JOIN :#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl^M
      :gagsiok!~gagsiok@AValence-101-2-1-139.abo.wanadoo.fr QUIT :Read error: 104 (Connection reset by peer)^M
    
    Looks like a bot net to me.
    
    
    Paul
    -- 
    Paul Dokas                                            dokasat_private
    ======================================================================
    Don Juan Matus:  "an enigma wrapped in mystery wrapped in a tortilla."
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
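The two indicators in Paul's post (a "YOK2"-prefixed banner on TCP/17300, and an IRC session where many hosts join one channel with an unprintable name) can be turned into a small triage script. The following is an added example written for this archive page, not code from the original post or from any scanner it mentions; the sample IRC lines are constructed to match the format of the dump above (nick!~ident@host JOIN/QUIT, with the ^M as a trailing carriage return) and use example.net hostnames, and the banner prefix check is a simplification of what a full scanner plugin does.

```python
import re
from collections import defaultdict

# Indicators taken from the post: the backdoor listened on TCP/17300 and the
# banner began with "YOK2". A plain prefix test is an assumption; scanner
# plugins apply more complete logic.
KUANG2_PORT = 17300
KUANG2_BANNER_PREFIX = b"YOK2"

# The channel name from the dump, with its escaped bytes as Latin-1 characters.
BOT_CHANNEL = "#\xf1\xe0\xe9\xfc\xee\xe9\xf0\xecl"


def looks_like_kuang2(banner: bytes) -> bool:
    """True if a raw banner read from TCP/17300 starts with the Kuang2 prefix."""
    return banner.startswith(KUANG2_BANNER_PREFIX)


# Server-to-client IRC line: ":nick!user@host JOIN :#chan" or
# ":nick!user@host QUIT :reason"; the optional trailing \r is the ^M in the dump.
IRC_LINE = re.compile(
    r"^:(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+)\s+"
    r"(?P<cmd>JOIN|QUIT)\s+:?(?P<arg>.*?)\r?$"
)


def parse_irc_line(line: str):
    """Return the fields of a JOIN/QUIT line, or None for anything else (PING etc.)."""
    m = IRC_LINE.match(line)
    return m.groupdict() if m else None


def summarize_channels(lines):
    """Per channel: join count, distinct joining hosts, how many joiners have an
    ident equal to their nick (a pattern visible in the dump), and whether the
    channel name contains characters outside printable ASCII. Also counts QUITs."""
    acc = defaultdict(lambda: {"joins": 0, "hosts": set(), "ident_equals_nick": 0})
    quits = 0
    for line in lines:
        rec = parse_irc_line(line)
        if rec is None:
            continue
        if rec["cmd"] == "QUIT":
            quits += 1
            continue
        entry = acc[rec["arg"]]
        entry["joins"] += 1
        entry["hosts"].add(rec["host"])
        if rec["user"].lstrip("~") == rec["nick"]:
            entry["ident_equals_nick"] += 1
    report = {}
    for chan, entry in acc.items():
        report[chan] = {
            "joins": entry["joins"],
            "distinct_hosts": len(entry["hosts"]),
            "ident_equals_nick": entry["ident_equals_nick"],
            "nonprintable_name": any(not (32 <= ord(c) <= 126) for c in chan),
        }
    return report, quits


def flag_suspicious_channels(lines, min_hosts=3):
    """Channels with a non-printable name joined from at least min_hosts distinct hosts."""
    report, _ = summarize_channels(lines)
    return sorted(
        chan for chan, info in report.items()
        if info["nonprintable_name"] and info["distinct_hosts"] >= min_hosts
    )


# Constructed sample, modelled on the session dump in the post (not real traffic).
SAMPLE_IRC_LINES = [
    ":Nosibvyzt!~Nosibvyzt@host-a.example.net JOIN :" + BOT_CHANNEL + "\r",
    ":wolhglsli!~wolhglsli@host-b.example.net QUIT :Read error: 104 (Connection reset by peer)\r",
    ":Skrcgirl!~Skrcgirl@host-c.example.net JOIN :" + BOT_CHANNEL + "\r",
    ":Rbizcoced!~Rbizcoced@host-d.example.net QUIT :Ping timeout: 600 seconds\r",
    ":Woicdonic!~Woicdonic@host-e.example.net JOIN :" + BOT_CHANNEL + "\r",
    ":alice!~ajones@host-f.example.net JOIN :#help\r",
    "PING :irc.example.net\r",
]

if __name__ == "__main__":
    # Constructed banner bytes echoing the start of the telnet output above.
    print("banner is Kuang2:", looks_like_kuang2(b"YOK2BENNY\xb0\xf9R>"))
    report, quits = summarize_channels(SAMPLE_IRC_LINES)
    for chan, info in report.items():
        print(repr(chan), info)
    print("quits:", quits)
    print("suspicious:", [repr(c) for c in flag_suspicious_channels(SAMPLE_IRC_LINES)])
```

The channel heuristic is deliberately coarse: an unprintable channel name plus joins from several distinct hosts is the signal in the post, while the ident-equals-nick count is reported as a supporting observation rather than used as a trigger, since ordinary clients can also set their ident that way.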
    
    This archive was generated by hypermail 2b30 : Mon Feb 17 2003 - 14:06:33 PST